Touchstone Compliance

HIPAA, Britney Spears, and Protected Health Information

I don’t know much about Ms. Spears. I’ve no idea who she’s paired with at the moment. And if I saw an Enquirer headline that read, “North Woods Shocker: Britney Marries Bigfoot,” I would not be tempted to buy a copy. But a lot of people are curious about celebrities like Britney Spears or Kim Kardashian or Maria Shriver. In several incidents in recent years, their curiosity has cost them their jobs in healthcare.

Today I’m going to talk about what can be learned about HIPAA compliance from cases like that — even if the only celebrity who ever visits your office is the local weatherman from Channel 5.

In 2008 UCLA Medical Center fired 13 employees and suspended six others for unauthorized access to the confidential medical records of Britney Spears.

Following complaints by two unnamed celebrities that their medical records had been compromised, in 2009 the Office of Civil Rights (OCR) launched a larger investigation into the entire UCLA Health System. The probe revealed that from 2005 to 2008, several employees, who had no right to access records, looked at the electronic protected health information of many patients the system served. Those employees lost their jobs and the UCLA Health System agreed to pay a fine of $865,000, as well as institute corrective actions.

Commenting on such cases, Georgina Verdugo, OCR Director, said, “Employees must clearly understand that casual review for personal interest of patients’ protected health information is unacceptable and against the law.” Healthcare facilities, she added, “will be held accountable for employees who access protected health information to satisfy their own personal curiosity.”

Lesson Two: HIPAA is meant to safeguard everyone’s Protected Health Information

Every community has its own “celebrities” — well-known local folks whose private lives and medical records would be of interest to certain people around town. Some of those people are motivated mainly by curiosity or the love of gossip. Others might have more sinister motives.

The point is, all patients — whether they’re rich-and-famous or not-well-known-at-all or even down-and-out — have a fundamental right to medical privacy. No patient should have to worry about who is viewing their health information.

Lesson Three: Take these steps and keep your practice out of the HIPAA headlines

The best way to protect patient records is through educating the staff on the importance of confidentiality, monitoring for HIPAA compliance, and taking appropriate disciplinary action when safeguards are ignored or circumvented. The following steps will lessen the risk of anyone’s PHI — not just a celebrity’s — being compromised:

  • Review the audit trail/log on your computers regularly. (An audit trail provides documented evidence of the sequence of activities that have affected a specific operation at any time. In an upcoming blog I plan to talk more about audit trails and what they can mean for a practice.)
  • Investigate suspicious access. 
  • Take swift and definitive action when you find evidence that someone’s been snooping without authorization into patient information.

The confidentiality of patient information is fundamental to the practice of good medicine or good dentistry. Make sure your staff respects that principle as much as you do. Who knows? Maybe someday Tom Cruise will thank you.
